The first bug tracked as CVE-2023-28205 allows attackers to take over a phone's browser app remotely - at which point attackers have a booby-trapped app that they can use to exploit the second bug tracked as CVE-2023-28206 to take over the entire device. That is the case with this bug, Ducklin said. But when attackers can combine a remote browser-busting bug with a local kernel-busting hole, they can sidestep the App Store problem entirely."
#APPLE SAFARI WEB BROWSER RISK BECOMING INSTALL#
It's also possible attackers chained the two vulnerabilities together - for example, exploiting WebKit and using it to pivot to the kernel vulnerability.Ī kernel-level bug relies on a booby-trapped app, which typically is a threat on its own against Apple devices, because of its strict App Store walled garden rule, making it hard for attackers to trick a victim into installing a rogue app.ĭucklin said a user won't go off-market and install an app from a secondary or unofficial source "even if you want to, so crooks would need to sneak their rogue app into the App Store first before they could attempt to talk you into installing it. Additionally, Apple's App Store rules mean that all browsers on iPhones and iPads must use WebKit, making this sort of bug a truly cross-browser problem for mobile Apple devices," Ducklin said. "Apple's own Safari browser uses WebKit, making it directly vulnerable to WebKit bugs. The apps uses "WebKit to show you web page previews, display help text, or even just to generate a good-looking About screen," Ducklin said. The WebKit vulnerability could give attackers control over a user's browser or any app that uses WebKit to render and display HTML content.
#APPLE SAFARI WEB BROWSER RISK BECOMING CODE#
It said unpatched exposure to "maliciously crafted web content may lead to arbitrary code execution." WebKit is Apple's web content display subsystem. The other vulnerability, tracked as CVE-2023-28205, is present in the open-source web browser engine WebKit, which is used across iOS and Apple devices.
While Apple said it is "aware of a report that this issue may have been actively exploited," it hasn't attributed such exploits to any specific cybercrime or nation-state group. "Typically, this can result in corruption of data, a crash or code execution," according to Mitre's Common Weakness Enumeration website. Out-of-bounds writing refers to writing data before the beginning or after the end of a buffer.
"Kernel code execution bugs are inevitably much more serious than app-level bugs, because the kernel is responsible for managing the security of the entire system, including what permissions apps can acquire, and how freely apps can share files and data between themselves." "This bug allows a booby-trapped local app to inject its own rogue code right into the operating system kernel itself," Ducklin said. Importantly, both vulnerabilities are described not only as leading to "arbitrary code execution," but also as 'actively exploited,' making them zero-day holes," Paul Ducklin, a security researcher at Sophos, said in a blog post.īecause of the out-of-bound write flaw, designated as CVE-2023-28206, in Apple’s IOSurfaceAccelerator display code, any iOS application may be able to execute arbitrary code with kernel privileges. "Two different bugs are addressed in these updates.
The latest zero-days affect iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, iPad mini 5th generation and later and Macs running macOS Ventura. The fixes addressed the same security issues discovered by Clément Lecigne of Google's Threat Analysis Group and Donncha Ó Cearbhaill of Amnesty International's Security Lab, according to an Apple security bulletin. See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources Apple issued security updates to address two zero-day vulnerabilities being actively exploited in the wild and targeting iPads, Macs and iPhones.
0 kommentar(er)
